Last year, authorities told residents of a Muslim-populated part of China to install JingWang, an app that scans for certain files. Now, researchers have found it transfers the collected data with no encryption.
Image: Uighurs pass the Communist Party of China flag on the wall on June 27, 2017 in Urumqi, China. (Photo by Wang HE/Getty Images)
In Xinjiang, a part of western China that a Muslim minority population calls home, the government forces residents to install an Android app that scans devices for particular files. Now, cybersecurity researchers have found that the so-called JingWang app has horrendous security practices for transferring data, and uncovered more details on what exactly the app does to phones.
China experts say the app is a continuation of China’s surveillance and oppression of the some 11 million-strong Uighur ethnic group, in an area fraught with some of the most broad human rights violations in the world.
“What we can confirm, based off the audit’s findings, is that the JingWang app is particularly insecure and is built with no safeguards in place to protect the private, personally identifying information of its users—who have been forced by the government to download and use it in the first place,” Adam Lynn, research director at the Open Technology Fund (OTF), the organization that supported the investigation of JingWang by third-party researchers, told Motherboard in an email. OTF is a US government funded program.
In 2017, authorities sent a message across WeChat, a hyper-popular chat program in China, to residents in Urumqi, the capital of Xinjiang. The message included a QR code for residents to scan and download the JingWang app.
As The New York Times has reported, Chinese authorities subject Xinjiang’s Uighur population, a culturally Muslim ethnic group, to a slew of different surveillance practices. These include X-ray scanning at supermarkets and banks, facial recognition tracking, and linking all sorts of information to an ID number. Small groups of Uighurs have violently challenged Chinese authorities, including during riots in 2009, The New York Times adds. A series of attacks in 2013 and 2014 included a mass knifing in a train station that killed 33, the Associated Press mentioned in an investigation into surveillance in Xinjiang.
Because of their distinct language, ethnicity, and culture, Chinese authorities have “always questioned their [Uighur's] political loyalty to the central government,” Sophie Richardson, China director at Human Rights Watch, told Motherboard in a phone call.
Got a tip? You can contact this reporter securely on Signal on +44 20 8133 5190, OTR chat on email@example.com, or email firstname.lastname@example.org.
Reinforcing and building on what Chinese users discovered when the app was launched last year, in its report OTF says JingWang scans for specific files stored on the device, including HTML, text, and images, by comparing the phone’s contents to a list of MD5 hashes. A hash is essentially a digital fingerprint of a piece of data.
According to a translation of the JingWang announcement message published by Mashable at the time, it said JingWang would “automatically detect terrorist and illegal religious videos, images, e-books and electronic documents.” Users would be told to delete any offending content with the threat of detention for up to 10 days, Mashable added.
It’s not immediately known which specific files JingWang is scanning for. OTF’s public blog post includes a list of the hashes, or the fingerprints of the files—OTF shared a list of some 47,000 hashes from the app with Motherboard. The app also has a screenshot function to capture images of the list of discovered files, OTF adds.
OTF’s report says JingWang also sends a device’s phone number, device model, MAC address, unique IMEI number, and metadata of any files found in external storage that it deems dangerous to a remote server. Motherboard found this server, unsurprisingly, is based in China, according to online records.
“This is really just the Orwellian, highly technical version of that same impulse; to gather massive amounts of information.”
As for handling that data, researchers supported by OTF found JingWang exfiltrated data without any sort of encryption, instead transferring it all in plaintext. The app updates are not digitally signed either, meaning they could be swapped for something else without a device noticing.
“The app’s technical insecurity only opens its users up to further attacks by actors aside from the Chinese government. It seem there is zero interest in protecting citizens’ information, only in using it against them,” Lynn said.
Of course, it may not be all that surprising an app designed for wide surveillance on a population doesn’t take security all that seriously, and the much broader issue is authorities forcing residents to install a piece of monitoring software in the first place. But the app still highlights China’s pervasive surveillance efforts developed over decades.
“It may also be helpful to keep in mind that this app is not first of its kind. Crime reporting/scanning apps have been introduced in smaller counties in China before they were used in Xinjiang,” Lotus Ruan, a researcher focused on China at The Citizen Lab from the Munk School of Global Affairs and the University of Toronto, and who reviewed the OTF research for Motherboard, wrote in an email.
Human Right Watch’s Richardson said, “This is really just the Orwellian, highly technical version of that same impulse; to gather massive amounts of information.”
Correction: This piece has been updated to clarify that the researchers who investigated JingWang were not from OTF itself, but that OTF supported the work of the external researchers.